In part 2 of their series on the Brador Trojan horse for the Pocket PC, Cyrus Peikari, Seth Fogie, Ratter/29A, and Jonathan Read take us on a detailed tour of exactly how this nasty piece of business works.

Back to Work

Now that we've done a macro analysis in part 1, we get to the fun part:
reverse-engineering the first Pocket PC Trojan. To perform micro analysis, you
should be familiar with assembly language. In addition, you have to know the
specific assembly registers used by the ARM processor. We've included a few
paragraphs here from Security Warrior (O'Reilly, 2004) to give you
an overall review.

The Advanced RISC Machine (ARM) is a low-power, 32-bit microprocessor
based on Reduced Instruction Set Computer (RISC) principles. ARM cores are
used in small devices that have a limited power source and a low tolerance
for heat, such as PDAs, telecommunication devices, and other miniature
devices that still require a relatively high level of computing power.

The classic (ARMv4) ARM core has a total of 37 registers that hold values used
in the execution of code. Six of these are status registers: the Current
Program Status Register (CPSR) and five Saved Program Status Registers (SPSRs),
which hold the condition flags produced by compare and arithmetic operations
along with the processor mode and interrupt state. The remaining 31 are
general-purpose registers, but because many of them are banked per processor
mode, at most 16 (R0 through R15) are visible to a program at any one time.
Of these 16, Register 15 (R15) is the Program Counter (PC), which the processor
uses to keep track of where in the program it is currently executing; note that
in ARM state, reading the PC yields the address of the current instruction plus
8 because of the pipeline, which matters when you compute a branch target by
hand from a hex dump. R14 is the subroutine Link Register (LR): a Branch and
Link (BL) instruction stores the return address (the address of the instruction
following the BL) in R14 before jumping, so a subroutine returns with MOV PC, LR.
Finally, R13, the Stack Pointer (SP), holds the address of the top of the stack,
where saved registers, return addresses, and local variables live, so it is the
register to watch when a routine pushes and pops state.

In addition to these 16 registers, most debuggers also show the condition
flags. These are not separate registers; they are the top four bits (bits 28
through 31) of the CPSR. They record the result of the last flag-setting
arithmetic or logical instruction (ADDS, SUBS, CMP, TST, and so on) and drive
conditional execution. Here they are from the high bit down, because that is
how the processor lays them out:

Bit 31, N: Negative/less than (the result had its sign bit set)

Bit 30, Z: Zero (the result was zero, or the compared values were equal)

Bit 29, C: Carry/borrow/extend (an unsigned carry out, or no borrow on a subtraction)

Bit 28, V: Overflow (a signed overflow occurred)
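To make the pipeline offset and the flag layout concrete, here is a small C helper, added here as an example and not code from the original article or from the Brador sample, that recognises an ARM B/BL instruction word, resolves its target address from the instruction's own address, computes the return address a BL leaves in R14, and spells out the N/Z/C/V flags of a CPSR value. The instruction words and CPSR values it feeds itself are constructed for illustration; the encodings it relies on (bits 27..25 = 101 for a branch, bit 24 for link, a signed 24-bit word offset relative to PC+8, flags in CPSR bits 31..28) are the standard ARM-state definitions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Condition flags live in CPSR bits 31..28, not in registers R28..R31. */
#define CPSR_N (1u << 31)
#define CPSR_Z (1u << 30)
#define CPSR_C (1u << 29)
#define CPSR_V (1u << 28)

/* Render the four condition flags as "NZCV" (upper case = set, lower case
 * = clear). buf must have room for 5 bytes. */
const char *cpsr_flags(uint32_t cpsr, char buf[5])
{
    buf[0] = (cpsr & CPSR_N) ? 'N' : 'n';
    buf[1] = (cpsr & CPSR_Z) ? 'Z' : 'z';
    buf[2] = (cpsr & CPSR_C) ? 'C' : 'c';
    buf[3] = (cpsr & CPSR_V) ? 'V' : 'v';
    buf[4] = '\0';
    return buf;
}

/* An ARM-state B or BL has bits 27..25 == 0b101 (condition code in 31..28). */
int is_branch(uint32_t insn)
{
    return ((insn >> 25) & 0x7u) == 0x5u;
}

/* Bit 24 (the L bit) distinguishes BL from plain B. */
int is_branch_link(uint32_t insn)
{
    return is_branch(insn) && ((insn >> 24) & 1u);
}

/* Target of a B/BL whose own address is `pc`. The 24-bit immediate is a
 * signed word offset: shift left 2, sign-extend from bit 25, and add to the
 * pipelined PC, which in ARM state is the instruction address + 8. */
uint32_t branch_target(uint32_t pc, uint32_t insn)
{
    uint32_t imm24 = insn & 0x00FFFFFFu;
    int32_t offset = (int32_t)(imm24 << 2);          /* fits: max 0x3FFFFFC */
    if (imm24 & 0x00800000u)                          /* bit 23 = sign bit  */
        offset -= (int32_t)1 << 26;
    return pc + 8u + (uint32_t)offset;
}

/* Value a BL at address `pc` leaves in R14 (LR): the address of the next
 * instruction, which is where MOV PC, LR will return to. */
uint32_t link_register_after_bl(uint32_t pc)
{
    return pc + 4u;
}

int main(void)
{
    /* Constructed sample: cond=AL (0xE), 101, L=1, imm24=0x000010 -> +0x40 words. */
    uint32_t pc   = 0x00011000u;
    uint32_t insn = 0xEB000010u;
    char flags[5];

    if (is_branch_link(insn))
        printf("BL at %08X -> target %08X, LR becomes %08X\n",
               pc, branch_target(pc, insn), link_register_after_bl(pc));

    /* 0xEAFFFFFE is "B ." (branch to self): offset -8 cancels the +8 pipeline. */
    printf("B at %08X -> target %08X\n", pc, branch_target(pc, 0xEAFFFFFEu));

    /* Constructed CPSR: N and C set, user mode (low bits 0x10), as a CMP that
     * produced a negative result with no borrow would leave it. */
    printf("CPSR 0xA0000010 flags: %s\n", cpsr_flags(0xA0000010u, flags));
    return 0;
}
```

The detail that bites when reading a raw hex dump rather than a debugger listing is the +8: the offset is relative to the instruction address plus 8, so an encoded offset of 0xFFFFFE (-2 words) lands on the instruction itself, which is why 0xEAFFFFFE is the classic "branch to self" idle loop.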

For more on Windows CE reverse-engineering, as well as software reversing in
general, check out
Security Warrior.